Description
Contributor PHP Object Injection in Werkstatt <= 4.8.3 versions.
Published: 2026-07-02
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

WordPress Werkstatt theme versions up to 4.8.3 contain a PHP Object Injection flaw that allows an attacker to inject serialized PHP objects during data processing. This weakness, identified as CWE-502, can lead to arbitrary code execution if the application unserializes untrusted input. An attacker could potentially upload malicious payloads, execute code on the server, and gain full control of the affected WordPress site.

Affected Systems

The vulnerability affects the Fuelthemes Werkstatt WordPress theme in all releases up to and including 4.8.3. Sites running Werkstatt 4.8.3 or earlier remain exposed until the theme is updated.

Risk and Exploitability

The CVSS score for this issue is 8.8, indicating high severity. The vector (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) describes a network-reachable, low-complexity attack that requires a low-privileged account, consistent with the Contributor role named in the description. EPSS data is not available, and the vulnerability is not listed in CISA's KEV catalog. The likely attack vector is remote via crafted HTTP requests or file uploads that manipulate the theme's input handling. Exploitation requires that the theme's code unserializes user-supplied data, which it currently does, making the flaw exploitable in a typical WordPress deployment.

Generated by OpenCVE AI on July 2, 2026 at 15:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Werkstatt theme to the latest available version; if not yet patched in a newer release, contact the vendor for a fix.
  • If updating is not immediately possible, deactivate or remove the theme from the WordPress installation to eliminate the attack surface.
  • Review the theme files for any use of unserialize() on user‑supplied data and replace it with a secure alternative, ensuring that user input is properly validated before deserialization.



Advisories

No advisories yet.

History

Thu, 02 Jul 2026 11:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Contributor PHP Object Injection in Werkstatt <= 4.8.3 versions. |
| Title | | WordPress Werkstatt theme <= 4.8.3 - PHP Object Injection vulnerability |
| Weaknesses | | CWE-502 |
| References | | |
| Metrics | | cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'} |



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-07-02T15:53:44.804Z

Reserved: 2026-02-19T09:52:22.262Z

Link: CVE-2026-27414

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-02T15:30:05Z

Weaknesses
  • CWE-502: Deserialization of Untrusted Data